MAGISK MODULE ❯ Universal SafetyNet Fix 1.1.0

Search This thread

kdrag0n

Senior Member
Feb 19, 2016
622
1,678
kdrag0n.dev
Universal SafetyNet Fix
Magisk module​

This is a universal fix for SafetyNet on devices with hardware attestation and unlocked bootloaders. It defeats both hardware attestation and the new SafetyNet CTS profile updates released on January 12, 2021. The only requirement is that you can pass basic attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels.

Passing basic attestation is mostly out-of-scope for this module; this module is meant to defy hardware attestation, as well as reported "basic" attestation that actually uses hardware under-the-hood. Nonetheless, it features a few basic attempts at helping pass basic attestation on some devices, especially older devices and devices running stock ROMs.

No device-specific features (such as the new Pixel-exclusive Google Assistant design or screen-off voice match) will be lost with this fix.

Android versions 8–11 are supported. Heavy OEM skins are not officially supported, but they may work depending on your luck and the particular ROM in question. Please do not report problems on such ROMs.

How does it work?
The way this workaround works is relatively low-level. An in-depth explanation, as well as source code and ROM changes, can be found on GitHub.

Ideally, this workaround should be incorporated in ROMs instead of overriding part of the ROM in a Magisk module. The ROM changes for it are linked above for ROM developers to use.

Downloads
Downloads and changelogs can be found on GitHub. The topmost release is the latest.

Telegram group
Source code

If this helped you, please consider donating to support development: recurring donation for sustainable support or buy me a coffee. Thank you for your support!
 
Last edited:

tylerdurden

Senior Member
Oct 13, 2010
301
643
Hamburg
Tested succesfully on Pixel 4a 5G, but Google Pay says "Your phone doesn't meet security requirements" even though PayPal can be set up.
Magisk Hide is activated.
 

zgfg

Senior Member
Oct 10, 2016
5,127
2,421
Thank you a lot, Universal SafetyNet Fix v1.1.0 working excellent on Xiaomi Mi 9T, Xiaomi.eu 21.1.6, MIUI 12.5 / Android 11 Beta

Device certified but not using Google Pay
 
Last edited:

thomas140

Senior Member
Jul 3, 2018
641
139
Johor
Safety net fix 1.0.2 worked for miui Eu 12.0.3.0 Android 10 for Poco F1.
Only that the ocbc bank Singapore app still able to detect the root and became unusable.
But I know that this doesn't relate to safetynet fix here because the issue already existed before the CTS false.
 

MoL_82

Senior Member
Aug 16, 2019
74
18
Tested on Samsung S9:
- 1.0.2 worked in MM, but Root Checker said 'cannot access GPS'.
- 1.1.0 fails ctsProfile in MM, but Root Checker now can access GPS, also returns ctsProfile fail.
 

shchukax

Member
Jun 12, 2019
6
4
Massive thanks for this. Version 1.1.0 confirmed working on my device:
- Pixel 3, stock room
- Magisk 21.2, magisk manager 8.0.5
- Magisk hide enabled and magisk manager renamed

All banking apps and google pay work correctly, including contactless payments.
 
  • Like
Reactions: powerful111

Drahy

Senior Member
Apr 27, 2012
461
64
I tried this on my Samsung Galaxy A6 (official samsung firmware patched with magisk) - and even version 1.1.0 causes bootloop when using zip inside Magisk Manager - Android 10
 

Antonio200

Member
Nov 26, 2020
9
0
Good morning. Working on Redmi Note 9 Pro xiaomi.eu 12.0.1 Android 10. No MagiskHide Props Config needed: basicIntegrity passed, ctsProfile passed, evalType BASIC.
Thank you so much
 
Last edited:

purgy

Senior Member
Aug 29, 2013
78
10
Sydney
Works on pixel 3a, last A10 patch, using magisk hide props config to force basic attestation. Was already using mhpc so not sure if it works without it. Fixed my CTS issue though, so thanks!
 

dr4go

Senior Member
Dec 17, 2010
409
350
Vienna
@kdrag0n Thank you so much for this awesome masterpiece!

I find it a bit interesting, that I experience a problem which nobody else seems to have reported so far. I'm using a Galaxy S10 (Exynos, G973F), rooted with latest canary Magisk, no EdXposed or whatsoever...

If I enable this module, no bootloop, basic attestation, CTS passes. "Yes", so I thought...

The problem now... My bank app tries to access the keystore and crashes. This does not happen without having this module enabled... I have attached a fully logcat and hope that you have some insights... 🙏🏻

EDIT1: re-attached file, didn't work on the first go.

EDIT2: oh... search for "easybank" or "keystore"

EDIT3: Android 11, One UI 3
 

Attachments

  • logcat_01-14-2021_11-15-06.zip
    70.1 KB · Views: 359
Last edited:

BenDavid

Member
Sep 29, 2016
25
7
POCO F1 user here. After flashing the module the phone stucks on the Google logo at boot.
The MHPC module didn't solve the problem either.

ROM: Pixel Experience 11 Beta (20201223)/Encrypted
 

Top Liked Posts

  • 1
    Does this no longer work? I did absolutely nothing to my Pixel 3A and out of nowhere SafteyNet fails. It worked fine when I installed it in January up until about a week ago.
    Around a week ago could imply that it quit working when all Magisk checks quit working because of the Safetynet key issue. Which Magisk channel are you using (John fixed the issue already in Canary and will include the fix in public next time it gets pushed), and what is the error?
    1
    y

    I was aware of the issue being with Magisk but I downloaded the canary build and it still fails, which is confusing.

    I tried an app called "SafetyNet 'attest'" and I have no idea if it's good or not but it says I pass. I am not sure why Magisk says it is failing when I have the canary version installed.

    Searching the Google Play store for "Netflix" yields no results, meaning the phone is still detecting root somehow. It says my device is certified. I tried clearing data/cache for the Google Play Store and Google Play Services and then rebooted, but I still cannot search for Netflix.
    As mentioned, make sure hide is activated. If the attestation app is passing, then your issue is almost definitely a Magisk key/hide issue. You could try clearing data/cache in Magisk, re-download the safetynet files, turn on hide and reboot. Also, be sure that you didn't just install the canary version but are in the canary channel.
  • 3
    As far as I remember there is a limit in calling the SafetyNet API with a specific key. I suppose too many people are using Magisk's built-in SafetyNet-Check and now the contingent of calls is exceeded. That's also the reason the result of the call is 'error' and not 'failed'.
    3
    On twitter, @topjohnwu says it is his API key that needs updating (or something to that effect). Will be in a future update, apparently.
    2
    where i can get ?
    Magisk home page, downloads, Magisk Canary button:
    https://github.com/topjohnwu/Magisk#downloads or OctoPuss (cat) symbol from Magisk App. 🤠 PW
    2
    how did you update it? did you receive a push notification? that it still doesn't work for me
    Canary Channel was updated. He'll push to Beta & Stable after a few more bug fixes.
    2
    Hi,
    I'd need some help to bypass SafetyNet check.

    … and yet I can't bypass the SafetyNet check:
    "SafetyNet API Error:
    basicIntegrity Ꝋ
    ctsProfile Ꝋ
    evalType: N/A".

    What am I missing?
    Seems you're missing today's posts before yours, debating about the same SafetyNet API error (supposing you're talking about Magisk's integrated SafetyNet check), and testing with the alternative
    SN checker(s) instead 🥸
  • 173
    Universal SafetyNet Fix
    Magisk module​

    This is a universal fix for SafetyNet on devices with hardware attestation and unlocked bootloaders. It defeats both hardware attestation and the new SafetyNet CTS profile updates released on January 12, 2021. The only requirement is that you can pass basic attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels.

    Passing basic attestation is mostly out-of-scope for this module; this module is meant to defy hardware attestation, as well as reported "basic" attestation that actually uses hardware under-the-hood. Nonetheless, it features a few basic attempts at helping pass basic attestation on some devices, especially older devices and devices running stock ROMs.

    No device-specific features (such as the new Pixel-exclusive Google Assistant design or screen-off voice match) will be lost with this fix.

    Android versions 8–11 are supported. Heavy OEM skins are not officially supported, but they may work depending on your luck and the particular ROM in question. Please do not report problems on such ROMs.

    How does it work?
    The way this workaround works is relatively low-level. An in-depth explanation, as well as source code and ROM changes, can be found on GitHub.

    Ideally, this workaround should be incorporated in ROMs instead of overriding part of the ROM in a Magisk module. The ROM changes for it are linked above for ROM developers to use.

    Downloads
    Downloads and changelogs can be found on GitHub. The topmost release is the latest.

    Telegram group
    Source code

    If this helped you, please consider donating to support development: recurring donation for sustainable support or buy me a coffee. Thank you for your support!
    21
    I managed to fix the 3rd party app fingerprint issue on my Samsung w/ Android 10 (commented on this Github issue too). Basically the AOSP keystore is not fully compatible with the Samsung one so I decided to binary patch the one on my phone and ended up with this module. Now both fingerprint and SafetyNet works.
    Notes:
    - This disables key attestation for every app, idk if it breaks anything, nothing broke so far
    - Only change is the replaced system_sdk29/bin/keystore with the Samsung one (8 bytes modified)
    - Only works on Android 10
    - Might or might not work for you, use at your own risk.
    13
    Universal SafetyNet Fix v1.1.1 is now available.

    Changes
    • Removed security patch fixup to fix CTS profile mismatches on some devices

    Download

    Some devices will now need to use MagiskHide Props Config in addition to this module in order to pass CTS profile checks as part of basic attestation. Altering the CTS profile is no longer in scope for this module as it breaks more devices than it fixes.

    If this module helped you, please consider a recurring donation for sustainable support, or alternatively buy me a coffee. Everything helps, but a recurring donation is the best way to keep the project alive in the long term.

    Issues on heavy OEM skins
    This is a reminder that heavy OEM skins are not officially supported. They may happen to work depending on your luck and the particular ROM in question, but nothing is guaranteed. Please do not report problems on such ROMs. It's surprising that it works at all on them; I wouldn't expect everything to be fully working. I will not provide more support for issues related to heavy OEM skins.

    The compatibility issue does not lie in the SafetyNet fix itself, but rather how the Magisk module is built. It's possible to make the Magisk module version of the fix slightly more portable, but I have no interest in supporting heavy OEM skins, nor do I have any devices running such ROMs.

    You will always have the best luck with a ROM not too far from AOSP, e.g. most custom ROMs and Pixel stock ROMs.
    6
    Everyone having issues passing basic attestation after installing the module, please try the attached versions.

    There have been quite a few reports of fingerprint unlocking in apps breaking on One UI. This is not something that is planned to be fixed, because One UI is a heavy OEM skin that is not officially supported. It's surprising that it works on One UI to begin with.
    4
    There is no need to delete the whole Data, but go to Settings, Apps and delete Data for Google Play, Google Play Services, Google Services Framework, and probably Google Pay (not using, hence cannot tell for sure).
    Go to Airplane mode before deleting, after deleting reboot and turn Airplane off
    Deleting data of Google services framework acts as a partial factory reset and it might cause late/missing notifications of many apps. I would definitely advise to avoid doing it. 🙂

    It is enough to wait a little, Google play store should "recertify" device after some time automatically if it meets the criteria. Cache or data cleaning of Google play store app should speed up this process, but it's not mandatory in my experience.
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone